On the surface, this seems like a relatively straightforward problem to solve: Just change your password or unplug the devices, right? Except the issue here is two-fold. Not only are the devices sometimes solely controlled by the abuser, but oftentimes making these changes will result in even worse abuse, especially if the couple is still living together. Asking these victims to stop using the devices is like telling them to just leave their abuser; these situations are usually much more complex, and the victims could be putting their lives in danger by doing either.
"It is very hard to give broadly applicable security advice to victims of domestic abuse, because every victim has to judge how much independence they have from their abuser and whether or not taking action to will cause them to back off or spur them to even more drastic action," said Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation.
But let's assume a scenario where there's still some recourse. In that instance, pretty much every security expert Engadget interviewed said that the best tool one can have is an awareness of both their devices and surroundings. Everyone should know how many smart home products are in their house. If possible, they should get a unique credential and password for each household member so not one person is controlling the device. "Find out how it works, how it's configured, how you can get into it and how they could be shut off," said Jonathan Knudsen, a senior security strategist for Synopsys, a software and security company.
If the abusive partner has left the home and the remaining person wants to continue using the same devices -- say it's something difficult to remove like a connected doorbell or a smart thermostat -- experts say they could try resetting them to factory settings. "Make sure to hard-reset the device and update the username and password," said Sam Levin, a community specialist for Independent Security Evaluators. At DEFCON, Levin also runs the IOT Village event, which helps researchers improve the security of smart home devices. "Another countermeasure not to be overlooked would be to replace any devices since they may have been physically tampered with in such a way that they would remain compromised even after a hard reset," he added.
As mentioned, however, changing passwords and doing a factory reset aren't options for everyone. There is no one-size-fits-all solution for domestic abuse.
"Women can end up looking paranoid," said Ruth Patrick, a CEO of WomenSV, a Silicon Valley domestic violence program. This is especially the case with abuse involving the smart home because complaining about things like lights turning off and on can make someone seem crazy. To help curb this, Patrick suggests that victims work with a domestic violence advocate who's savvy about these technologies. "Reach out to them or the police, and present yourself as a sane, competent person. Keep calm," she said. "Get emotional support. Work with a therapist if you can."
Additionally, Patrick advises abuse victims go as low-tech as possible. "If they have a sensitive appointment like interviewing attorneys or meeting a counselor, park several blocks away and put all the electronics in the trunk," she said. Other tips include using a pad and paper to take notes, getting a flip phone instead of a smartphone and checking their belongings for trackers like RFID tags and Bluetooth fobs. Patrick also says they should avoid transportation like Uber or Lyft that uses an app, just in case that can be used to track them. "Even the Tesla app can be used to see where you're going in real time."
If they can afford it, Patrick recommends the use of a private investigator with expertise in counter-threat measures. The investigators can sweep cars and houses to make sure there are no hidden cameras or microphones, or signs of electronic tampering.
It's unfortunate that victims have to go through such lengths to get away from constant surveillance, but this is the reality many abused people are living in. Even when tech companies run threat analysis assessments on their products, they often run tests against hackers or threat actors, not abusive exes. It's not a topic that has come up in previous IOT Village events, according to Levin. There is research being done on the topic at the university level, but this is an issue that tech companies have mostly been silent on.
Engadget has reached out to Google, Amazon and various smart home manufacturers about any efforts to curb abuse and have not heard back at the time of publication. The only company to get back to us was Simplisafe, which specializes in home security. It said that in a situation where an abusive ex is misusing the technology, the remaining home owner could call in with a predetermined safe word in order to cancel service or reset PINs and passwords.
"We dealt with a divorce situation in the past where we sent a free system to a customer that she could activate under her own e-mail and service plan, while giving her tech support for removing equipment in her home that she could not control," said Melina Engel, Simplisafe's Chief Marketing Officer. "Tech alone doesn't work in a situation like this. You can't AI your way out of this. But having real people on the phone who can listen to you and care for you can help."
Not every company has the same philosophy, however. "Unfortunately, high-tech companies are designing their technology with making life 'easier' in mind," said Patrick. "They're not considering that it can be used for ill purposes like this."
If you or someone you know are yourself in an abusive situation, the National Domestic Violence Hotline offers 24/7 support at 1-800-799-7233 and 1-800-787-3224. Live chat is available online from 7AM to 2AM Central Time if making a phone call isn't possible.